Re: WARNING: Crypto software to be included into main Debian distribution
>>>>> "Florian" == Florian Lohoff <firstname.lastname@example.org> writes:
Florian> On Sun, Feb 24, 2002 at 01:02:51PM -0500, Sam Hartman
>> I maintain openafs and krb5. Both of these programs are US
>> origin programs in non-us maintained by US maintainers. I
>> believe there are others.
Florian> Didn't know that - how does that fit into the picture?
Well, it has to go in non-us because it's crypto. I'm maintaining it
because I want to and because when I brought up the legal issues on
debian-legal over a year ago, no one objected.
Once this stuff moves into main, it will be easier for me to convince
maintainers to add Kerberos support into their packages. That will
make our (or some of our) users happy.
>> But hey, guess what? We're using a different section of the
>> EAR to export our crypto. In particular, we're using 15 CFR
>> 740.13(e). And guess what? That section says nothing about
>> items staying subject to the EAR after export.
Florian> What I also meant was the reexportation by automation
Florian> which one could interpret as a knowingly shipment to T7
A) It is not reexportation (see defn of reexportation below)
B) The fact that it is automated doesn't matter.
For something to be illegal it has to break some specific law. It's
illegal for me to export to a T7 country.
The law is written in terms of specific actions. If there were a law
that stated that it was illegal for me to cause some software to be
exported to a T7 country then your reasoning is incorrect.
However the law only says it is illegal for me to knowingly export to
a T7 country. That's knowingly export--not knowingly cause an export.
So for me to violate the law I actually have to be doing the export.
Thus to determine if it is legal for me to give you crypto we need to
look closely at the definition of export. I've done so (looked at the
specific definition of export in the US law) and as far as I can tell,
I'm not exporting to a T7 country when I export to you, even if you
may end up exporting to a T7 country later. If I'm not exporting to a
T7 country, then I cannot be knowingly exporting.
The same argument applies for an automated script. For there to be a
knowing export to a T7 country, there must be an export to a T7
There's a bit of complexity involved if the purpose of my export to
you is to get around the law. In that case, me exporting to you might
be considered an export to a T7 country. Actually, I think what
happens is that there's case law that says it is illegal to take some
action just to get around the law. But that doesn't apply in any of
the cases here. I'm exporting to you so you can run a mirror. I'd
export to you even if you hated the T7 countries even more than the
US. It should seem clear even to a court that Debian is not moving
crypto into main just to set up a complex situation so we can export
to T7 countries from the US.
>> I think you're confused about the definition of re-export as
>> well. As far as I can tell under US law, a re-export is when
>> an item imported to the US is exported again, not when an item
>> exported from the US to another country is exported again from
>> that country. That might be a re-export under that country's
>> laws, but not in general under US
Florian> That's the US-centric view -
First, it is not just a US-centric view. It's what is stated in the
law. There's a huge section that defines terms. One thing it defines
is export and re-export. And hey, if we are talking about a
particular law we should use the definitions from that law. Those are
the definitions the court will use to convict or fail to convict for
violations of that law.
Even if the EAR defines putting code on a website as exporting that
code (which it does), then we need to use that definition of export
when we're talking about the law. Under a common English
interpretation of export, I would not expect putting US code on a US
website to be an export. But because the law says that's an export,
for the purposes of this discussion we would be silly not to consider
that an export.
Just so, if the law says something is not a re-export or is not an
export, we would be foolish to make up our own definitions (even if
they seem more reasonable) and apply the text of the law to those
Florian> From my view this means - We are importing the crypto
Florian> stuff from the US to Germany - And then ME as the mirror
Florian> maintainer I export the stuff to T7 countries e.g. as
Florian> Which means in the end that any upload to the main site
Florian> is a knowingly export to T7 countries (in the end)
Yeah, but as I said earlier, it is not the consequences that matter
but the specific actions. The export to you as a mirror maintainer is
legal under US law. Your export to a T7 country is legal under US law
because you are not a US person and the crypto code is no longer a US
item. (US person is a term of law; US item is my own term--I could go
look at the specific text for what terminology they use.)
>> The maintainer, not Debian, is doing the export. Every time I
>> upload new software to pandora, I am exporting from the US. I
>> have the option of either violating US law or notifying the BXA
>> of my export. Not surprisingly, I choose to notify the BXA
Florian> The point I made is that in the future all incoming
Florian> queues + master site may be in the US - There are
Florian> hundreds of full and partial mirrors accessing that site and
Florian> exporting to "good" parts of the world. There are some
Florian> bad guys over there in Cuba (Sorry - US speech) which
Florian> mirror from a site e.g. in Germany. Now - One might
Florian> interpret as a knowingly exportation to T7 countries.
One might. The interesting question is whether an American court,
looking at the definition of export and knowing export would interpret
it that way.
I think the answer is no, having read those definitions. If you want
to go read the law, read the definition of export, re-export, knowing
export, and explain how I'm wrong, that would be a mildly interesting
Florian> is to blame? The DPL? No - From my guess they'll go
Florian> after the individual maintainers who send stuff to the
Florian> normal queue and from that on do a knowingly (multi-step)
Florian> export to T7 countries.
Or the ftpmasters or the people running the servers in the US.
Actually in practice, what they'll do is send us a formal letter
telling us to stop. It doesn't look good to try and convict a bunch
of volunteers writing free software for exporting stuff to Cuba when
you could just send them a legal order telling them to stop doing it.
It seems to me fairly clear what we are doing is reasonable. It
seemed clear to the lawyer as well. So while Debian should seriously
consider any legal threats from the US government, if we are fairly
sure that what we are doing is legal and no such threat will be
coming, going forward seems reasonable.
Now you are correct that the US government could have written the law
such that taking actions I knew would lead to exporting to T7
countries is illegal. If they did that, this entire situation would
be more complex. Fortunately they did not do so.
Florian> Am I just too paranoid? I feel uncomfortable with the
Florian> point that there might be legal DoS possible against a
Florian> very important part of Debian, the package pool and its
Florian> automatic distribution to mirrors.
Might is way too weak of a word. There are so many ways of mounting a
layer-9 (political/legal) DOS against Debian it's not funny. Send a
bunch of DMCA copyright complaints. Send a bunch of patent
letters. The US could assert (it's about as likely as anything that
you have proposed) that
1) Debian is a US organization (false but the US might easily believe
2) Debian runs non-us.debian.org
3) Thus non-us.debian.org must follow US export laws even though it is
not in the US.
Note that if Debian were a US corporation then all three of these
points would be clearly true. I think that you do not understand the
law well enough for the level of paranoia you are implying. Please
read over http://www.access.gpo.gov/bxa/ and look at the definitions
of export, re-export etc before continuing this discussion.